Question Safety of using Symantec endpoint protection


Parkinsond

This is almost certainly not Google itself scanning you maliciously — but rather one of the following:


✅ Most Likely: STUN / WebRTC Traffic


The ports you listed and the fact it’s UDP traffic strongly suggest this is STUN (Session Traversal Utilities for NAT) traffic, typically used by:


  • Google Chrome
  • WebRTC (video/audio calling)
  • Google Meet, Discord, Zoom, or any web app using peer-to-peer connections

This type of traffic happens when a site tries to establish a peer-to-peer connection — and Chrome (or another app) contacts a Google STUN server to determine your external IP and open ports. It might look like a scan, but it's just part of WebRTC trying to make NAT traversal work.

 

Victor M

I think your modem+router is not doing anything to stop the scans or else it would not have reached your PC.
I think your chatgpt is trying to second guess the traffic as legit and offering you possibilities. Historically, STUN is used for some VOIP setups. Don't know much about WebRTC, example like MS Teams I think.

Neither Google nor Cloudflare has any business scanning your UDP High ports. I don't think the traffic came from them.
I would ignore the scans for now. Maybe note their IP addresses and check your logs again later.
 

Victor M

However, if you Prefer that nobody bothers you with scans or Prefer that nobody touches your PC's then you could invest in a hardware firewall.

My preferred method of deciding whether you should invest in security is to rate and classify your data into top secret, secret, classified, sensitive and public etc. Then if you find you have a lot to protect then invest in security. I don't agree with the method that one should rank your risks, because ranking risks is an Estimation of the Probability of an attack, threat x vulnerability ( 2 levels of guesses, and you could guess wrongly, and those 2 things change ) . I would say if this and this data is important and secret, then protect it, allocate funds as to the level of classification.
 
Sep 21, 2022
71
hmm...

this domain is very suspicious : "*.1e100.net"

with all those proxies, 8 in total !!

let's investigate further :

if you have just a private computer,
you need to check with which process your computer is linked, to see if this is a legit INbound &/OR OUTbound monitoring tool.
i mean with the IP address you describe, no matter what router you have,

because normally when it reaches your routing device, your computer is also informed (how many bytes sent - how many bytes received)

i have done an example of remote tracing for you :

___________________________________________

after this tracing you can :

first,

Phone the I.S.P or send a complaint from the server AS15169 in the NS1 cluster of google - to the registrar MarkMonitor Inc. -> abusecomplaints@markmonitor.com :

next,

if you have no answer in 24 hours in the open day - go there :


send the query you have on the lookup for each suspicious IP address : if it does not exist it means the domain is not officially registered (no matter the reason),

this is the real domain after searching it :


Prudence Malinki
Tel: +1 2083895740
prudence.malinki@markmonitor.com (real registrar)

ask them if they own the "1e100.net" domain ? if no ?

only then can you bring your complaint to google. (ask them to blacklist the domain *.1e100.net to the registrant used before from the AS15169)

you can use a screenshot from ICANN for the non existent domain and the answer of the real registrar.

___________________________________________________________

after this, the suspicious IPs beneath will have vanished from your endpoint protection

1 unknown 10.10.40.30 (mine). 0.181 ms
2 us xe-0-1-4.0.MI3-E5-E02.09-39.a2webhosting.com 69.48.136.4 0.296 ms
3 us ae1.0.MI3-E5-E02.09-37.a2webhosting.com 69.48.136.14 0.262 ms
4 us static.det-ix.net 209.124.52.21 6.698 ms
5 us unknown 192.178.249.227 6.140 ms
6 us unknown 192.178.249.208 6.853 ms
7 us unknown 142.251.234.29 6.954 ms
8 us unknown 192.178.81.236 254.982 ms
9 us unknown 192.178.81.47 95.626 ms
10 us unknown 192.178.252.188 152.062 ms
11 us unknown 192.178.104.29 94.853 ms
12 us unknown 142.251.64.127 94.543 ms
13 us par21s23-in-f10.1e100.net 142.250.201.170 95.110 ms
Your computer
142.250.201.170
 

Parkinsond

Ditched K, B, and SEP; back to MD and WF.
I have no valuable stuff on my PC to force me to tolerate the hassle of meticulous cyber security 🙄
 
Sep 21, 2022
71
> Ditched K, B, and SEP; back to MD and WF.
> I have no valuable stuff on my PC to force me to tolerate the hassle of meticulous cyber security 🙄

I understand your point of view,

but you don't protect your system only for yourself,
but also for all the people using your router, especially if there is a wifi coupled with this router,
an unguarded system is a loaded weapon left in a public place even if you have an old pc.

what is public for an attacker can be exploited for a personal use.

friend, security is not about paranoia but about responsibility,
so the minimum thing you can do is to use a DMZ to isolate other machines from yours if there are multiple users on your DHCP

 

Parkinsond

> I understand your point of view,
>
> but you don't protect your system only for yourself,
> but also for all the people using your router, especially if there is a wifi coupled with this router,
> an unguarded system is a loaded weapon left in a public place even if you have an old pc.
>
> what is public for an attacker can be exploited for a personal use.
>
> friend, security is not about paranoia but about responsibility,
> so the minimum thing you can do is to use a DMZ to isolate other machines from yours if there are multiple users on your DHCP


My modem router firewall is set to max; what else can I do?
I live alone.
 

Victor M

Well, when you don't look, you won't know. And it seems like the whole LAN is susceptible to scans. Are you sure the other PC's in your LAN should be treated the same?
 

Parkinsond

> Well, when you don't look, you won't know. And it seems like the whole LAN is susceptible to scans. Are you sure the other PC's in your LAN should be treated the same?

The other PC is turned off most of the time; it is a backup one for emergency.
I live alone; no one is using the internet but me; my son shares it for only one month or less during the summer vacation, and he also has nothing valuable on his PC, except for his games 🎮
 

Parkinsond

> Well, when you don't look, you won't know. And it seems like the whole LAN is susceptible to scans. Are you sure the other PC's in your LAN should be treated the same?

I think it is a mis-reporting by SEP; K was set to monitor for port scanning and it did not alarm.
 
Sep 21, 2022
71
ok... what other configuration do you have on your router "firewall" ? advanced configuration i mean ...

do you have a manual ? where can i find it ?

and last thing, did you buy this router, or is it from your ISP, provided with your internet connection,

you need admin access.
 

Parkinsond

> ok... what other configuration do you have on your router "firewall" ? advanced configuration i mean ...
>
> do you have a manual ? where can i find it ?
>
> and last thing, did you buy this router, or is it from your ISP, provided with your internet connection,
>
> you need admin access.

Unfortunately, it is the one provided by ISP.
I cannot remove remote management settings (greyed out), so I added block rules for port 80 and 21 (outbound; all inbound is blocked) to WF.
 
Sep 21, 2022
71
@Parkinsond , Set to max, huh? ... x)

Okay, friend — if you don't want to take responsibility,
you should officially inform your ISP that someone was scanning your ports,
attempting to access your machine.

Changing ports does nothing to stop an attacker.
It’s like painting an object green instead of red —
they’ll still scan the same IP across all ports.

Your ISP already has a DMZ set up for their own infrastructure as a large organization.
Ask them to configure one for you, if you don’t want to secure your own device directly.

Have a nice day.
 

Parkinsond

> @Parkinsond , Set to max, huh? ... x)
>
> Okay, friend — if you don't want to take responsibility,
> you should officially inform your ISP that someone was scanning your ports,
> attempting to access your machine.
>
> Changing ports does nothing to stop an attacker.
> It’s like painting an object green instead of red —
> they’ll still scan the same IP across all ports.
>
> Your ISP already has a DMZ set up for their own infrastructure as a large organization.
> Ask them to configure one for you, if you don’t want to secure your own device directly.
>
> Have a nice day.

ISP tech support is pathetic; I have to do it myself, but I do not know how.
I suspect the reporting by SEP is not precise.
Have a nice day, too, my friend.
 

Victor M

How much it will cost?
I have found very old PCs being given away or selling for USD $40 on Kijiji. Prices fluctuate. Kijiji is a site for local trading - you may have one near your city. You don't need a powerful pc for a firewall. I have used a Pentium for pfSense. There is also OPNsense, take your pick.

And why are we talking about DMZ all of a sudden? In my experience the demilitarized zone is for hardened web servers that must be open to the public or for sacrificial honey pots intended for studying adversaries.
 

Vitali Ortzi

> I have found very old PCs being given away or selling for USD $40 on Kijiji. Prices fluctuate. Kijiji is a site for local trading - you may have one near your city. You don't need a powerful pc for a firewall. I have used a Pentium for pfSense. There is also OPNsense, take your pick.
>
> And why are we talking about DMZ all of a sudden? In my experience the demilitarized zone is for hardened web servers that must be open to the public or for sacrificial honey pots intended for studying adversaries.

Sophos home is great too for a non open source firewall
 
